Cyber Essentials Changes

Upcoming Cyber Essentials Changes In 2025

With the proposed Cyber Essentials changes being introduced in April 2025, updates to the assessment standard may impact the associated time, cost, and certification requirements for many companies.

To achieve or maintain your Cyber Essentials Certification, contact our team or review any further information available here.

    Changes To The Cyber Essentials Certification

    Cyber Essentials Certification

    Why The Standard Is Changing

    The Cyber Essentials scheme is updated regularly each year to keep pace with changing technology, to ensure the cyber security standard continues to align with recommended cyber security best practice, and to continue protecting organizations from the most common cyber threats and an ever-evolving threat landscape.

    When The Standard Is Changing

    The changes to Cyber Essentials come into effect on 28th April 2025.

    The changes to the certification standard will then apply to all submissions on or after this date.

    Companies that register for certification before this date, but have yet to complete their assessment, will still certify under the older Cyber Essentials requirements.

    Prior Changes To The Cyber Essentials Standard

    In a previous update to the standard, Multi-Factor Authentication was introduced as a mandatory requirement for user accounts on Cloud Services, which changed both the questionnaire and the Cyber Essentials Plus practical tests.

    The Impacts of Changes To Cyber Essentials

    Many of the changes to Cyber Essentials can be considered minor and are often grammatical changes within the self-assessment questionnaire or associated documents.

    However, some changes are introduced which can change the compliance requirements a company must align with, the technical controls that must be implemented, or the testing methods included within Cyber Essentials Plus.

    • This can change the requirements a company must align with, requiring time and resources to change an organization’s devices and network.
    • The changes can alter the assessor’s grading standards, which affects a company’s ability to recertify with their previous self-assessment questionnaire.
    • The updates can alter the practical tests conducted during a Cyber Essentials Plus assessment, changing the time, testing requirements, and cost of the assessment.

    Do The Changes To Cyber Essentials Affect The Cost

    While there isn’t a direct change to the price of certification this year, some of the changes to the Cyber Essentials Plus verification methods may impact the amount of time required to complete the assessment, which could have an indirect impact on the cost of recertification.

    Updated Cyber Essentials Documentation

    Updated Resources and Documents

    To review any of the specific changes or requirements, the following current and updated documents can be reviewed or compared:

    • Current Cyber Essentials Requirements for IT Infrastructure document
    • Updated Cyber Essentials Requirements for IT Infrastructure document
    • Current Cyber Essentials Self-Assessment Questionnaire Excel Document
    • Updated Cyber Essentials Self-Assessment Questionnaire Excel Document
    • Current Cyber Essentials Plus Test Specification document
    • Updated Cyber Essentials Plus Test Specification document

    Cyber Essentials Password Authentication Changes

    Passwordless Authentication

    The Current Standard

    Within the current Cyber Essentials requirements, authentication is referenced in several sections, including:

    • Credentials used to manage the organization’s firewalls, under the Firewalls key control
    • Credentials used to manage the organization’s devices, under the Secure Configuration key control
    • Credentials used to manage the organization’s accounts, under the User Access Control key control

    The authentication options provided for companies to be compliant with the Cyber Essentials scheme are currently:

    • Multi-factor authentication, with a minimum password length of 8 characters and no maximum length
    • Automatic blocking of common passwords, with a minimum password length of 8 characters and no maximum length
    • A password minimum length of 12 characters and no maximum length

    The Updated Standard

    Cyber Essentials Password Requirements

    Within the updated Cyber Essentials requirements document, an additional authentication option, Passwordless Authentication, is now provided.

    The methods accepted as a form of passwordless authentication include:

    • Biometric Authentication, such as Fingerprints and other biometric data
    • Physical Devices, such as USB Security Keys
    • One-Time Codes, such as those sent through email, text, or a mobile app
    • Push Notifications, such as prompts presented from an app on a smartphone

    The Impacts On Business Certification

    Certification Authentication requirements

    For companies recertifying to Cyber Essentials, the updated password requirements may open additional options for implementing authentication standards and protecting devices and accounts from common cyber attacks.

    However, as passwordless authentication methods typically still include a password as a backup in case the passwordless method fails, the backup password must still adhere to the requirements, such as:

    • Making sure the password meets the minimum length requirements
    • Protecting the account from brute force attacks through login restrictions, throttling, or Multi-Factor Authentication methods.
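    The following is an added example, not code from the original article, which turns the three password options listed above and the backup-password rules for passwordless accounts into a single compliance check. The `AuthConfig` field names and the sample configurations are constructed for illustration; the thresholds (8 and 12 characters, no maximum length, lockout/throttling/MFA protection) are the ones stated in the text.

```python
"""Added example, not from the original article: evaluate an account's
authentication settings against the Cyber Essentials options described above.
Field names and sample configurations are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AuthConfig:
    min_password_length: int
    max_password_length: Optional[int] = None      # the scheme requires no maximum
    mfa_enforced: bool = False
    common_password_blocking: bool = False
    # Primary passwordless method, e.g. "security_key", "biometric", "otp", "push"
    passwordless_method: Optional[str] = None
    # Controls protecting the (backup) password: "lockout", "throttling", "mfa"
    brute_force_protection: Tuple[str, ...] = ()


def password_option(cfg: AuthConfig) -> Optional[str]:
    """Return the password option the configuration satisfies, or None.

    All options require no maximum password length:
      mfa_8   - MFA plus a minimum length of 8 characters
      block_8 - automatic blocking of common passwords plus a minimum of 8
      min_12  - a minimum length of 12 characters
    """
    if cfg.max_password_length is not None:
        return None
    if cfg.mfa_enforced and cfg.min_password_length >= 8:
        return "mfa_8"
    if cfg.common_password_blocking and cfg.min_password_length >= 8:
        return "block_8"
    if cfg.min_password_length >= 12:
        return "min_12"
    return None


def evaluate(cfg: AuthConfig) -> dict:
    """Decide whether the configuration meets one acceptable authentication option."""
    findings: List[str] = []
    option = password_option(cfg)
    if cfg.passwordless_method:
        # The password is now only a backup, but it must still meet the
        # minimum-length rules and be protected against brute-force attacks.
        if option is None:
            findings.append("backup password meets none of the password options")
        if not cfg.brute_force_protection:
            findings.append("backup password has no lockout, throttling or MFA protection")
        option = "passwordless:" + cfg.passwordless_method
    elif option is None:
        findings.append("password settings meet none of the acceptable options")
    return {"option": option, "compliant": not findings, "findings": findings}


if __name__ == "__main__":
    # Constructed sample: a security-key login whose backup password is too short
    # and has no brute-force protection.
    print(evaluate(AuthConfig(min_password_length=8, passwordless_method="security_key")))
```

    Usage: build an `AuthConfig` from the settings exported from the identity provider or device policy and inspect the `findings` list; an empty list means one of the acceptable options is met.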

    The verification methods to confirm authentication within Cyber Essentials Plus tests are still limited to Cloud Services implementing Multi-Factor Authentication and the separation of account permissions on end-user devices.

    The changes to the authentication options currently don’t present a specific impact on the cost or time taken to complete the certification process for businesses.

    Cyber Essentials Plus Verification Changes

    Cyber Essentials Plus Changes

    The Current Standard

    Under the current Cyber Essentials scheme, the Requirements for IT Infrastructure document and the self-assessment questionnaire contain definitions that allow a company to define the scope of their organization.

    This scope includes the number and type of devices, how networks are structured, and whether any networks are segmented and excluded from the scope of assessment.

    When a Cyber Essentials Plus assessment is conducted, the scope of assessment and number of devices is assumed to be accurate and the assessor focuses on conducting practical tests against a sample of devices that represent the network as a whole.

    The Updated Standard

    Cyber Essentials Plus Verification

    Within the updated Cyber Essentials Plus Test Specification document, additional requirements are being introduced that no longer assume that the network and number of devices in scope are accurate, and instead require the assessor to collect verification evidence to confirm the information.

    This is defined in the following sections of the specification document:

    • “Verify by technical means that the scope of the Cyber Essentials Plus assessment matches the networks and systems being assessed”
      • As part of the practical assessment for Cyber Essentials Plus, it is now required to verify that the defined scope within the questionnaire matches the devices which are connected to your company’s internal network.
    • “Verify by technical means that when the Cyber Essentials self-assessment scope is not ‘Whole Organisation’, any sub-sets have been segregated effectively”
      • Although many companies certify their whole organization against the requirements, some organizations only certify a sub-set of their business. This can apply for different reasons such as when a company maintains offices in different countries, or has certain sections of their network which don’t align with the Cyber Essentials specification.

    The updated specification requires the assessor to verify both the scope and the segmentation through technical measures.

    The Impacts On Business Certification

    Scope Verification Methods

    The additional verification measures that an assessor needs to conduct can potentially impact the recertification process for businesses, as additional testing and evidence collection are required, which can:

    • Change the access methods for connecting to a network or information-gathering methods to verify connected devices and segmentation
    • Potentially require onsite visits for a previously remote assessment
    • Increase the overall time of the assessment and therefore increase the price for recertification

    The specific verification methods used may vary between companies depending upon their network setup, such as:

    • With a traditional network, it may be possible to conduct device discovery scans to find each of the connected devices. It may also be possible to connect via one segmented network and verify the limited connectivity to the in-scope network.
    • However, with more modern networks, which consist of remote working devices or a mixture of devices that may not always be connected to a standard internal network, it may be necessary to review asset management software, as well as Virtual Local Area Network (VLAN) or firewall configuration information.
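    The following is an added example, not code from the original article, of the reconciliation an assessor or internal IT team can perform once discovery results are in hand: the declared asset list from the questionnaire is compared with the addresses actually observed on the in-scope networks, and recorded connectivity checks are used to confirm that an out-of-scope segment cannot reach in-scope hosts. All hostnames, addresses and connectivity results are constructed for illustration.

```python
"""Added example, not from the original article: reconcile the scope declared
in the self-assessment questionnaire against devices observed on the network,
and check segmentation evidence. Inventory, addresses and connectivity results
below are constructed for illustration."""
import ipaddress
from typing import Dict, Iterable, List, Tuple


def _in_scope_checker(in_scope_networks: Iterable[str]):
    nets = [ipaddress.ip_network(n) for n in in_scope_networks]

    def in_scope(ip: str) -> bool:
        return any(ipaddress.ip_address(ip) in n for n in nets)

    return in_scope


def reconcile_scope(declared: Dict[str, str], observed_ips: Iterable[str],
                    in_scope_networks: Iterable[str]) -> dict:
    """Compare declared assets (hostname -> IP) with IPs seen during discovery.

    Returns devices seen on in-scope networks but not declared, declared
    devices that were not seen (for example remote-working laptops, where
    asset-management evidence is needed instead), and any observed address
    that lies outside the declared in-scope networks.
    """
    in_scope = _in_scope_checker(in_scope_networks)
    declared_ips = set(declared.values())
    seen = set(observed_ips)
    return {
        "undeclared": sorted(ip for ip in seen if in_scope(ip) and ip not in declared_ips),
        "not_observed": sorted(declared_ips - seen),
        "outside_scope": sorted(ip for ip in seen if not in_scope(ip)),
    }


def segmentation_gaps(tests: Iterable[Tuple[str, str, bool]],
                      in_scope_networks: Iterable[str]) -> List[Tuple[str, str]]:
    """Flag (source, destination) pairs where a host outside the in-scope
    networks could reach an in-scope host. `tests` are recorded connectivity
    checks as (source_ip, destination_ip, reachable)."""
    in_scope = _in_scope_checker(in_scope_networks)
    return [(src, dst) for src, dst, reachable in tests
            if reachable and not in_scope(src) and in_scope(dst)]


# Constructed sample data (not from any real assessment).
DECLARED = {"ws-01": "10.10.1.11", "ws-02": "10.10.1.12", "laptop-07": "10.10.1.57"}
OBSERVED = ["10.10.1.11", "10.10.1.12", "10.10.1.99", "10.20.5.4"]
IN_SCOPE = ["10.10.1.0/24"]
CONNECTIVITY = [
    ("10.20.5.4", "10.10.1.11", False),   # out-of-scope segment blocked, as expected
    ("10.20.5.4", "10.10.1.12", True),    # out-of-scope host can reach an in-scope host
    ("10.10.1.11", "10.10.1.12", True),   # in-scope to in-scope, not a segmentation issue
]

if __name__ == "__main__":
    print(reconcile_scope(DECLARED, OBSERVED, IN_SCOPE))
    print(segmentation_gaps(CONNECTIVITY, IN_SCOPE))
```

    Anything in `undeclared` needs either adding to the questionnaire scope or documented segregation; anything in `not_observed` needs alternative evidence such as asset-management records; a non-empty `segmentation_gaps` result means the sub-set has not been segregated effectively.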

    Changes To Cyber Essentials Security Update Management

    Cyber Essentials Security Update Management

    The Current Standard

    The Security Update Management control is one of the five key security controls defined within Cyber Essentials, alongside Firewalls, Secure Configuration, User Access Control, and Malware Protection.

    Within the Security Update Management section, there has always been a requirement to apply vendor-supplied “patches and updates” to resolve vulnerabilities within 14 days.

    These updates are intended to apply to operating systems and network software installed on your organization’s devices.

    The Updated Standard

    Security Update Management Changes

    The current definition of “patches and updates” has been found to leave out some important security fixes that do not require a patch or update.

    These alternative security fixes may not fit the definition of a patch or update, but still resolve vulnerabilities that may be rated Critical or High-risk, such as:

    • Changing a configuration setting,
    • Implementing registry fixes, or
    • Running scripts.

    Leaving these types of remediation out of the previous definitions has potentially resulted in companies being able to achieve their Cyber Essentials certification while still being affected by vulnerabilities that may have been rated as Critical or High-risk.

    The updated requirements will require businesses to apply all types of vulnerability fixes that resolve security issues in their systems.

    The Impacts On Business Certification

    Update Management Changes

    With the newly updated requirements document, the definition of vulnerability fixes now operates as a blanket term to include any vendor-approved mechanism to fix vulnerabilities.

    This can mean that for many organizations, the amount of vulnerability remediation that needs to be conducted may increase, in order to resolve all vulnerabilities which:

    • Are rated as Critical or High-risk vulnerabilities, as defined by the vendor
    • Have a CVSSv3 base score of 7.0 or above
    • Have no risk rating provided by the vendor
    • Have a vendor-provided vulnerability fix available, which must be applied within 14 days
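    The following is an added example, not code from the original article, that applies the criteria above to a list of findings and shows how the broadened definition of a fix changes the result: a registry fix or configuration change that was not counted under a patch-and-update reading now falls under the 14-day requirement. The finding identifiers, ratings, scores and dates are constructed; the `status` labels are this example's own naming.

```python
"""Added example, not from the original article: classify findings under the
updated Cyber Essentials definition of a vulnerability fix. Identifiers, ratings,
dates and fix types in the sample data are constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, Optional

# Under the updated definition any vendor-approved mechanism counts as a fix,
# not only a patch or update.
ALL_FIX_TYPES = {"patch", "update", "configuration_change", "registry_fix", "script"}
LEGACY_FIX_TYPES = {"patch", "update"}
FIX_WINDOW = timedelta(days=14)


@dataclass
class Finding:
    finding_id: str                 # constructed label, not a real CVE identifier
    vendor_rating: Optional[str]    # "critical", "high", "medium", "low" or None
    cvss_v3: Optional[float]
    fix_type: str
    fix_released: date
    fix_applied: Optional[date] = None


def in_scope(f: Finding) -> bool:
    """Must be remediated if the vendor rates it Critical/High, the CVSSv3 base
    score is 7.0 or above, or the vendor has provided no rating at all."""
    if f.vendor_rating is None:
        return True
    if f.vendor_rating.lower() in ("critical", "high"):
        return True
    return f.cvss_v3 is not None and f.cvss_v3 >= 7.0


def status(f: Finding, today: date, fix_types=ALL_FIX_TYPES) -> str:
    """One of: not_required, fix_type_not_counted, fixed, fixed_late, due, overdue."""
    if not in_scope(f):
        return "not_required"
    if f.fix_type not in fix_types:
        # Under the legacy reading only patches and updates were counted.
        return "fix_type_not_counted"
    deadline = f.fix_released + FIX_WINDOW
    if f.fix_applied is not None:
        return "fixed" if f.fix_applied <= deadline else "fixed_late"
    return "due" if today <= deadline else "overdue"


def compare_definitions(findings: Iterable[Finding], today: date) -> Dict[str, Dict[str, str]]:
    """Status of each finding under the legacy and the updated definitions."""
    return {f.finding_id: {"legacy": status(f, today, LEGACY_FIX_TYPES),
                           "updated": status(f, today)} for f in findings}


# Constructed sample findings (not real vulnerabilities).
TODAY = date(2025, 5, 12)
SAMPLE = [
    Finding("F-001", "critical", 9.8, "patch", date(2025, 4, 20), date(2025, 4, 28)),
    Finding("F-002", "medium", 7.5, "registry_fix", date(2025, 4, 20)),
    Finding("F-003", None, None, "configuration_change", date(2025, 5, 5)),
    Finding("F-004", "low", 4.3, "script", date(2025, 4, 1)),
]

if __name__ == "__main__":
    for fid, result in compare_definitions(SAMPLE, TODAY).items():
        print(fid, result)
```

    In the sample, F-002 is rated Medium by the vendor but has a CVSSv3 score of 7.5 and a registry fix released more than 14 days ago; it is simply not counted under the legacy reading but is overdue under the updated one, which is exactly the gap the change closes.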

    For companies recertifying to the Cyber Essentials scheme, this can have several impacts:

    • Additional time and resources may need to be dedicated to testing and applying vulnerability fixes
    • Applying registry fixes, configuration changes, and other updates may need to be trialed within smaller groups of devices and then rolled out to the rest of the business, leading to longer patching times
    • Companies may see increased benefits from conducting regular vulnerability scanning throughout the year, to avoid having to complete larger remediation work within short timeframes at the point of certification.

    Additional Changes To Cyber Essentials Definitions

    Cyber Essentials Definitions

    Some of the changes to the certification standard can often be considered relatively minor, such as changes to the definitions of terms.

    These changes are often made each year to more clearly define the intended meaning of specific text within the Cyber Essentials resources and documentation.

    This is conducted regularly to refine the certification standard and to account for common questions and conditions that are often encountered by certification bodies.

    The changes being made as part of the April 2025 updates include:

    • The Cyber Essentials Requirements for IT Infrastructure document is being updated to change the term “plugins” to the term “extensions” to more accurately describe the intended meaning.
    • The term “Home Working” has also been updated to “Home and Remote Working” to more clearly represent that working away from the office can include home working environments as well as travelling and remote working.

    Conclusion

    Changes To Cyber Essentials

    The Cyber Essentials scheme makes regular changes to its certification standard each year to ensure that achieving certification helps improve cyber security and protects organisations from cyber-attacks and known security issues.

    The updates applied as part of the April 2025 changes affect:

    • the technical controls that companies can apply to their accounts and authentication measures,
    • the patching requirements that businesses must apply to their software and operating systems to verify vulnerability fixes and ensure continued compliance with the Security Update Management section, and
    • the processes certification bodies must conduct within a Cyber Essentials Plus test, to verify that the information within the self-assessment questionnaire is accurate.

    If you have any further questions regarding different cybersecurity solutions or the Cyber Essentials process your company needs to work through, our consultants are available to address any concerns you may have.
